
Threat Hunting

Our threat hunts are a contract-based service in which we hunt your environment for unauthorized activity and emerging threats. We meet with you to understand which data sources are available to hunt against, verify configuration settings so that the telemetry is as complete as possible, and then our team spends time every week hunting for threats in your environment.

Our team runs several categories of hunts; emerging-threat hunts are the ones that tend to resonate most with clients.

When your company’s leadership, technical or otherwise, asks if you’re impacted by a new APT, ransomware group, or CVE they read about online, our team provides you with answers.

We also perform topical hunts, for example, hunting for privilege escalation on production Linux servers.

Many hunts return voluminous data and require manual review and judgment calls. Hunts that don't fall into that category, the ones with a tight, high-fidelity result set, are reviewed and tuned, and we work with you to convert them from hunts into detection rules in your SIEM or EDR. This effort is highly contextual. For example, public detection guidance may state that the IIS worker process should never spawn cmd.exe, but we review your data set to see whether that holds in your environment. We've seen many in-house applications and third-party products do surprising things. When such edge cases are discovered, we tune the detection rule to account for activity we have observed and validated in your environment, rather than silencing the rule altogether.
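The IIS example above, worked through as an added illustration (this is not IntrusionOps' tooling or a client's rule). The process-creation events are constructed to resemble Sysmon/EDR telemetry; the hostnames, app-pool identities, script paths and command lines are hypothetical. It shows the hunt query lifted straight from public guidance, a loose exception that suppresses the validated reporting job but can be abused by command chaining, and a tightly scoped exception keyed on host, identity and the exact validated command line:

```python
"""Converting the "IIS should never spawn cmd.exe" hunt into a tuned detection.

Added example, not code from the page or the service it describes. All hosts,
app pools, paths and command lines below are constructed sample telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (think Sysmon Event ID 1 or an EDR event)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample events; event numbers are used in the results below.
EVENTS = [
    # 1: webshell-style recon under the default app pool
    ProcessEvent("web01", r"IIS APPPOOL\DefaultAppPool",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
    # 2: the validated in-house reporting job (legitimate but "surprising")
    ProcessEvent("web01", r"IIS APPPOOL\ReportingPool",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\inetpub\apps\Reporting\bin\export.bat" nightly'),
    # 3: same identity and script, but an extra command has been chained on
    ProcessEvent("web01", r"IIS APPPOOL\ReportingPool",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\inetpub\apps\Reporting\bin\export.bat" nightly & whoami'),
    # 4: encoded PowerShell launched from the default pool on another host
    ProcessEvent("web02", r"IIS APPPOOL\DefaultAppPool",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    # 5: not IIS at all; an administrator opening a shell from Explorer
    ProcessEvent("web02", r"CORP\admin",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe"),
]


def base_rule(ev: ProcessEvent) -> bool:
    """The hunt as lifted from public guidance: IIS worker process spawns cmd.exe."""
    return (ev.parent_image.lower().endswith(r"\inetsrv\w3wp.exe")
            and ev.image.lower().endswith(r"\cmd.exe"))


def loose_exception(ev: ProcessEvent) -> bool:
    """Tempting first tuning: anything from the reporting pool mentioning the script.

    A substring match also suppresses event 3, where the known script is used as
    cover for a chained command, so this exception is too broad to ship."""
    return (ev.user == r"IIS APPPOOL\ReportingPool"
            and "export.bat" in ev.command_line.lower())


# Tight tuning: host, app-pool identity and the full, anchored command line that
# was observed and validated during the hunt review (hypothetical values).
VALIDATED = [
    ("web01",
     r"IIS APPPOOL\ReportingPool",
     re.compile(r'^cmd\.exe /c "C:\\inetpub\\apps\\Reporting\\bin\\export\.bat"'
                r' (nightly|weekly)$', re.IGNORECASE)),
]


def tight_exception(ev: ProcessEvent) -> bool:
    """Only the exact validated invocation is suppressed; a trailing '& whoami' still fires."""
    return any(ev.host == host and ev.user == user and pattern.match(ev.command_line)
               for host, user, pattern in VALIDATED)


def loose_rule(ev: ProcessEvent) -> bool:
    return base_rule(ev) and not loose_exception(ev)


def tight_rule(ev: ProcessEvent) -> bool:
    return base_rule(ev) and not tight_exception(ev)


def run_rule(rule, events) -> list[int]:
    """Return the 1-based numbers of the events the rule fires on."""
    return [n for n, ev in enumerate(events, start=1) if rule(ev)]


if __name__ == "__main__":
    print("base rule fires on :", run_rule(base_rule, EVENTS))   # [1, 2, 3, 4]
    print("loose tuning fires :", run_rule(loose_rule, EVENTS))  # [1, 4]  (misses 3)
    print("tight tuning fires :", run_rule(tight_rule, EVENTS))  # [1, 3, 4]
```

The base rule is noisy in this environment because the reporting pool legitimately runs a batch file. The loose exception removes that noise but also hides event 3, where an attacker in the same app pool appends a command to the known-good invocation. The tight exception pins the host, the app-pool identity and the complete command line, so the validated job stays quiet while the chained command still fires. Exceptions written this way have to be revisited when the application changes, which is exactly the kind of contextual follow-up that turns a hunt into a rule you can trust.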

Our threat hunts have uncovered multiple compromises that the client's endpoint security controls and SIEM had not identified. In those cases we work with you and the vendor to share details and open support cases so that the gap is addressed in the security product where applicable.

If you consume any threat intelligence feeds, we can action those in our hunts; alternatively, we can bring feeds of our own.

Outcomes of threat hunts include:

  • Detecting compromises. IntrusionOps' DFIR team is immediately available to respond in these circumstances.
  • Creating detection rules to give near real time detection of threat actors, CVE exploitation, or other TTPs.
  • Answers for your leadership on whether, and how, you're impacted by a relevant threat or piece of security news (think Log4j).